
“RedDrop is one of the most sophisticated pieces of Android malware that we have seen in broad distribution,” said Wandera in an overview of its research published Wednesday. “Not only does the attacker utilize a wide range of functioning malicious applications to entice the victim, they’ve also perfected every tiny detail to ensure their actions are difficult to trace.”

Wandera told Threatpost it’s unsure how many Android devices may be infected with the malware. “One thing we have noticed is that the pace of attempted infections appears to be accelerating,” Wandera said. Since the company initially identified the malware, the company has blocked roughly 20 further requests by infected apps to reach the criminal’s distribution network – where additional malware would be downloaded from.

The apps are being promoted via ads displayed on the popular Chinese search engine Baidu. Researchers said those who click on the ads are “taken to huxiawang[.]cn, the primary distribution site for the attack. The landing pages that follow host various content to encourage and incite the user to download one of the 53 apps within the RedDrop family of malicious apps.”

Once a RedDrop-infected app is installed, it silently downloads a further seven Android application packages (APKs) that add spyware and other malicious components such as trojans, premium-SMS functionality and additional dropper software.

“When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected,” the company said.

Data siphoned off phones is uploaded to the attacker’s Dropbox account, to be used in conjunction with further attacks and for possible extortion.

“Apps within the RedDrop family request invasive permissions enabling the attack to be conducted without requesting further interaction from the user,” according to Wandera. “One of the more destructive permissions allows the malware to be persistent between reboots, granting it the ability to constantly communicate with command and control (C2) servers, permitting the covert activation of its malicious functionality.”

“RedDrop malware was first unearthed at a ‘Big Four’ accounting firm back in January, when Wandera detected unusual network traffic from an employee’s device to a series of redirected suspicious URLs,” Wandera said. “Further investigation revealed an APK file being hosted on these domains, and from there more information about the wider threat was uncovered.”

After installation, the malware-infected app downloads the additional APKs and JAR files from the attacker’s C2 servers, storing them in the device’s memory. This is a technique that “allows the attacker to stealthily execute additional malicious APKs without having to embed them straight into the initial sample. This can be seen from both the network communication and the device logs,” said Wandera.

To evade security filters, the group behind RedDrop also used a pool of more than 4,000 domains to distribute the malicious apps, redirecting users multiple times along the way, according to Wandera.
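The behaviours described above (post-install fetching of APK/JAR payloads, exfiltration to a Dropbox account, and a large pool of redirecting distribution hosts) are all visible in device or proxy network logs. The following is an added example, not Wandera’s or Threatpost’s code, of a simple triage pass over such logs; the log records, package names, host names (other than huxiawang.cn, which the article names) and the Dropbox allowlist are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Content types and extensions that indicate executable code fetched after install
CODE_TYPES = {"application/vnd.android.package-archive", "application/java-archive"}
CODE_EXTS = (".apk", ".jar", ".dex")
# Hypothetical allowlist of apps expected to talk to Dropbox storage
DROPBOX_OWN_APPS = {"com.dropbox.android"}
# Distinct hosts one app touches before we treat it as a redirect pool (assumed threshold)
HOST_POOL_THRESHOLD = 4

# Constructed log: (app package, request URL, response content type).
# huxiawang.cn is the distribution site named in the article; all else is made up.
LOG = [
    ("com.example.wallpaper", "http://huxiawang.cn/landing", "text/html"),
    ("com.example.wallpaper", "http://cdn-a.example/r1", "text/html"),
    ("com.example.wallpaper", "http://cdn-b.example/r2", "text/html"),
    ("com.example.wallpaper", "http://cdn-c.example/p1.apk", "application/vnd.android.package-archive"),
    ("com.example.wallpaper", "http://cdn-d.example/lib.jar", "application/java-archive"),
    ("com.example.wallpaper", "https://content.dropboxapi.com/2/files/upload", "application/json"),
    ("com.dropbox.android", "https://content.dropboxapi.com/2/files/upload", "application/json"),
    ("com.example.notes", "https://api.example/sync", "application/json"),
]


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (avoids 'notdropbox.com' matches)."""
    return host == domain or host.endswith("." + domain)


def assess(log):
    """Return {app: sorted reasons} for apps showing RedDrop-style dropper behaviour."""
    hosts = defaultdict(set)
    reasons = defaultdict(set)
    for app, url, ctype in log:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        hosts[app].add(host)
        if ctype in CODE_TYPES or parsed.path.lower().endswith(CODE_EXTS):
            reasons[app].add("fetches APK/JAR code after install")
        if any(in_domain(host, d) for d in ("dropbox.com", "dropboxapi.com")) \
                and app not in DROPBOX_OWN_APPS:
            reasons[app].add("uploads to Dropbox from a non-Dropbox app")
    for app, seen in hosts.items():
        if len(seen) >= HOST_POOL_THRESHOLD:
            reasons[app].add(f"contacts {len(seen)} distinct hosts (redirect pool)")
    return {app: sorted(r) for app, r in reasons.items()}


if __name__ == "__main__":
    for app, why in assess(LOG).items():
        print(app, "->", "; ".join(why))
```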

“It’s likely that RedDrop will continue to be employed by attackers even after these apps are flagged as malicious,” the company said. “As was seen in the case of SLocker last year, attackers are smart in creating variants of known malware in an attempt to bypass traditional security measures. We expect the same to be true of RedDrop in the coming months.”

Discussion

The same can be said for any software you download for any device through any avenue. The question is often not if you are getting it from an app store or not, but how trustworthy the vendor is that produced it. For example, if you download an app for your bank straight from their website, it is generally safer than using an app store where there may be 5 apps that appear to be for your bank, but 4 of them are spyware. Inversely, getting an app straight from a random third party is riskier because that software is not subject to any security audit.
Also, mobile devices (across all brands) have been the big target in recent years; so, it is generally best to operate your phone with the minimum number of apps you really need, and take the time to confirm the identity & repute of the organizations distributing them.

Always use the Google Play Store for downloading apps, because from there you can get reliable and trustable applications. Don’t use other platforms for downloading, because it’s harmful and can harm your Android device and memory, so always do your best and get the best!!!

Authors

Threatpost
